Noteworthy .htaccess Tips To Improve Your WordPress Site Security

The .htaccess (also referred to as Hypertext Access) file is a configuration file that you’ll come across when fixing your WordPress site’s permalink settings. Furthermore, the file also helps in improving your website security and performance.

In case your site doesn’t contain the .htaccess file, then you can create one on your own and even upload it. For doing so, first you’ll have to create a blank text file and save it as .htaccess. Next, upload the file to your WP installation root. Finally, make sure to use a period (.) at the beginning of your filename (simply put, save your file as “.htaccess” instead of htaccess).

If you’re a beginner and want to create a .htaccess file without much of the headache associated with programming, you can use the software instead, such as .htaccess file generator, for generating .htaccess code. There are plenty of options in the software that you can configure, but that’s not the agenda of our post.


In this post, we’ll talk about a handful of noteworthy tips for .htaccess to strengthen your site security.

Let’s Get Started

Be sure not to take any chances with the .htaccess file, as even a slight syntax error can break your website. For instance, forgetting to include a “>” character or any other character can bring down your site. And so, make sure to keep a backup of your .htaccess file prior to making any changes to it.

Store your file backup to a safe place on your system, or in another location, such as on cloud storage etc. After updating your .htaccess file on the server, do refresh your site to check whether your site is still active or not. Don’t forget to miss out this step, as it helps in identifying whether your site is working fine or not.

In case you get a blank screen without wasting a second, upload your saved copy of .htaccess file.

Snippets For .htaccess To Make Your Site Secure 

  1. Keep Your .htaccess File Secure

Considering the fact that, the .htaccess file controls lots of important things on your site, it becomes needful to keep your file secure from any unauthorized access. For this purpose, avoid malicious users from accessing your .htaccess file, by listing your static IP address in it as shown in the following snippet:

order deny, allow
allow from x.y.w.z # This is your static IP
deny from all

  1. Disable Directory Browsing

Your server, by default, automatically displays an index page if it can’t locate your index files – be it index.php or index.html. This can make your site prone to attacks, as it reveals critical information using which hackers can exploit a vulnerable file in your site. And so, make sure to disable directory browsing in your WordPress site, by adding the following line of code to your .htaccess file:

Options All -Indexes

  1. Protect WP-Config.php

wp-config.php is one of the most important configuration files in your WordPress root directory. The file contains vital information including login details for your site’s database and maintenance settings. And so, you should make sure to prevent unauthorized users from accessing the wp-config.php file, by simply adding the snippet as given below:

<files wp-config.php>
order allow,deny
deny from all

  1. Disable Image Hot Linking

At times, other site owners may directly link to images from your website. It saves hard disk space by not having to store the images. Although, this isn’t much of a concern for most of the WP users, but for sites having plenty of images, hotlinking can become a severe problem. And so, it is advisable to disable hotlinking in WordPress. You can do so by adding following snippet to your .htaccess file:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www.)?*$ [NC]
#RewriteRule .(gif|jpg)$ – [F]
RewriteRule .(gif|jpg)$ [R,L]

  1. Limit Access to the WordPress Admin Area

One of the most common entry points for attackers is the WordPress admin area. Getting access to the admin area gives hackers the freedom to do anything to your site. But you can make the admin area more secure, by adding the following lines of code:

order deny,allow
deny from all
allow from

Make sure to change the above with your own IP address. And then, upload the file to your site’s wp-admin/ folder. This will make you access the WordPress admin area, but will block other WordPress users. And so, to provide access to other website administrators and staff, you can add additional IP addresses. For this, you’ll have to add additional “allow” lines or simply list the IP addresses and separate them using commas. For example:

allow from,,

  1. Ban IP Addresses of Malicious Users

This is an obvious one. If you receive some odd requests from an IP address, chances are that you might want to block it from accessing your site. For this, just add the following code to your .htaccess file:

order allow,deny
deny from
allow from all

Note: Make sure to replace ‘xxx’ in the above code snippet with the IP address that you would like to block.

Wrapping Up!

While making edits to the .htaccess file or creating new ones can help fix your site’s permalinks and even make your site more secure, but a single mistake can prove disadvantageous for your site. Since, website owners running WordPress sites major concern is security, it is better to learn about the tips for your .htaccess file to protect your WordPress site from hackers and other unknown threats.

Author Bio – Sarah Parker is an experienced PSD to WordPress service provider, and a web designer. With this article, she is making people aware about .htaccess tips to improve WordPress site security.